[Bro] Bro drop packets while not using CPU at full capacity

Hashem Alaidaros aidaros.dev at gmail.com
Sat Jun 25 04:05:59 PDT 2016


Thanks Dave,
I couldn't get what you mean. How does stats.bro calculate CPU usage; is it
per-core utilization? My Bro machine is quad-core with hyperthreading enabled,
which means 8 logical cores. So, if one core is fully utilized, then stats
should report 12.5% (100/8), not 40% or 60% as in my case. How can my Bro
report 60% CPU with a 20% packet drop rate reported? Is there any reason that
makes packets drop?
Could anyone clarify, please?
Thanks in advance

On Sat, Jun 25, 2016 at 10:50 AM, Dave Crawford <bro at pingtrip.com> wrote:

> Is it possible that the CPU has two cores and Bro is consuming 100% of one
> core? Some tools average the core utilization to report "CPU usage".
>
> > On Jun 24, 2016, at 7:45 PM, Hashem Alaidaros <aidaros.dev at gmail.com> wrote:
> >
> > Hi All
> > I use Bro for my PhD research. I add scripts in Bro and then see the CPU
> > and packet drop rate, using @load stats.bro. I'm using Bro 2.3 with
> > standard libcap.
> > I use tcpreplay from Machine A to replay the pre-captured traffic into
> > the Bro multi-core machine B through a port-mirroring switch. I replay the
> > traffic from 100 to 1000 Mbps. When it reaches 200 Mbps and onward, packets
> > start to drop and the drop rate increases. Surprisingly, the CPU is not
> > fully utilized; CPU usage is still 40%. What we know is that packet drops
> > result from full CPU load, but in our case the CPU is still at less than
> > 50%, so my question is: what is the cause of this packet drop? Is it normal?
> >
> > Best regards
> > Aidaros
> >


-- 
A friend in need Is a friend indeed